2

So I really need to add something like clownflare to my website. The posts from bots now get rejected consistently, but they still visit and I go over my quota as a result. I don't like clownflare because it's too much centralization of data, people's passwords will be in their hands. Does anyone know of a good alternative?

[-]x0x7
0(+0|0)

You have a visit quota on your website? Bots are a good thing. You want them to browse your site.

That is true about the passwords. It's unfortunately nearly impossible to have anything that could stop bots (have an idea of their specific visiting patterns like where they visit) and also not make passwords interceptable by Cloudflare. Unless you used a system where people sign a random piece of content with a private key on client side. Or used some kind of PGP where they use your public key to encrypt both their password and a timestamp and sent that. Or used a Diffie-Hellman key exchange over HTTPS treating the HTTPS as if it were a public untrusted channel and basically ran HTTPS over HTTPS for certain things. Or used PBKDF2 on the client side to convert their password into a salt and then used that salt plus a timestamp and a nonce in a SHA1 hash making an HMAC that they could send with the timestamp and the nonce they used. Basically HMAC signing.

I almost understand most of that! Yeah! Now we need to use the oclhashcat to sniff out the cow patty while reversing the pixie dust over the aircrack, but be careful and don't jump the wireshark!

[-]LarrySwinger
1(+1|0)

I lol'd.

[-]LarrySwinger
0(+0|0)

It's a free host and on some days I hit the resource limit for CPU usage or MySQL queries. These are caused by bots who fail to post now but still keep trying. I suppose a simpler solution is to switch to paid hosting. And another thing I had in mind was to use a less popular clownflare alternative that perhaps operates from eastern Europe / Russia / China or whatever so that they don't have to turn anything over to the NSA. What's your opinion about that? I'm not sure if it makes sense when the content delivery is by nature global, they will have servers in problem countries, but maybe it helps if the business is based in a non-cucked country?

[-]x0x7
0(+0|0)

Europe is a part of Five Eyes and can actually spy on you and your users more than is allowed when 100% domestic. Any company that operates in China gives all data to China or a mole inside the company helps get it so the top brass of the location have plausible deniability for not giving things to China, and they will be in trouble if they out the mole who is supposed to be there.

Russia, maybe that's ok. There is a risk of them trying to use you as a malware vector, but I guess that's just as likely anywhere either from them, the US, or Israel, no matter where you are.

You could deny the bots any response so they stop navigating to your forms.

[-]LarrySwinger
0(+0|0)

Any company that operates in China gives all data to China

Yes but it won't affect me. I'd rather China has my data than the NSA. If everyone just uses services from the other pole, we can all enjoy quality services without being repressed by our own governments.

You could deny the bots any response so they stop navigating to your forms.

With htaccess?

[-]x0x7
0(+0|0)

With htaccess?

See, PHP and Apache are really technologies outside of my wheelhouse, so I don't know. I come from the nodejs world where everything is code so knowing the right config to touch isn't a thing. You just write code to do the thing you want.

In either case you would need to store a file or database entries of ip addresses that had some access pattern you don't like. I have some doubts that htaccess could consume that database or file. So you could also do it in php directly.

But htaccess might be able to block anyone from accessing those urls and that might be considered a fail to fail2ban, and then fail2ban would persist the IPs and drop connections.

That's something you could research. But I'm of the practice "why set up a complicated config that might contradict some other config needs later if I can just write simple code instead?" So if it were me I'd just write that PHP. Or more realistically because I don't write PHP every day, ask Claude.ai to do it.

[-]x0x7
0(+0|0)

Also this is one of the bad things about php. If bots sniff that you have php they start attempting access to every kind of admin panel that ships with any php project.

I don't know if you have read your logs, but if an IP besides yours is attempting to access any admin anything, even if not related to phpbb, refuse to serve them another byte.

There are different ways to do that. Fail2ban is one. The downside of fail2ban in your case is it isn't that lightweight and considering you are so strictly metered your host might fail2ban you.
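
One way to do what the comments above describe, as an added example that is not code from any poster: scan access-log lines for non-owner IPs requesting admin-looking paths and emit Apache 2.4 `Require not ip` rules for .htaccess. The owner address, the `/admin/i` pattern and the sample log are constructed assumptions.

```javascript
// Added example. OWNER_IPS, ADMIN_PATTERN and SAMPLE_LOG are constructed assumptions.
const OWNER_IPS = new Set(["198.51.100.7"]);  // the site owner's own address
const ADMIN_PATTERN = /admin/i;               // "any admin anything"; also hits e.g. /badminton
const IP_CHARS = /^[0-9a-fA-F:.]+$/;          // only these characters may reach the config file

// Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" \d{3} /;

// Return the sorted non-owner IPs that requested an admin-looking path.
function findProbers(logText) {
  const flagged = new Set();
  for (const line of logText.split("\n")) {
    const m = LOG_LINE.exec(line);
    if (!m || !IP_CHARS.test(m[1]) || OWNER_IPS.has(m[1])) continue;
    let path = m[2].split("?")[0];            // ignore the query string
    try { path = decodeURIComponent(path); } catch { /* keep the raw path */ }
    if (ADMIN_PATTERN.test(path)) flagged.add(m[1]);
  }
  return [...flagged].sort();
}

// Render Apache 2.4 authorization rules suitable for .htaccess.
function toHtaccess(ips) {
  return ["<RequireAll>", "  Require all granted",
    ...ips.map((ip) => `  Require not ip ${ip}`), "</RequireAll>"].join("\n");
}

const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196',
  '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /wp-admin/ HTTP/1.1" 404 196',
  '2001:db8::1 - - [10/Oct/2024:13:56:01 +0000] "GET /%61dmin/login.php HTTP/1.1" 404 196',
  '198.51.100.7 - - [10/Oct/2024:14:01:02 +0000] "GET /admin/index.php HTTP/1.1" 200 5120',
  '192.0.2.44 - - [10/Oct/2024:14:02:10 +0000] "GET /search.php?q=admin HTTP/1.1" 200 812',
  'truncated line without a request',
].join("\n");

console.log(toHtaccess(findProbers(SAMPLE_LOG)));
```

Apache still accepts the connection, but a denied request gets a 403 before any PHP or MySQL work runs. The rules only take effect where the host allows authorization directives in .htaccess.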